jdam_41848
Feb 17, 2016

IP Intelligence policy

Hi all,

Is there a way to add a custom list to an IP Intelligence policy?

Currently we have an iRule that drops traffic based on addresses/networks we add to a data group. We also have AFM and IP Intelligence available and would like to utilize the Global policy feature to not only use the IP Intelligence database but also our custom list of "bad" IP addresses. I know I can add feeds to the policy but we don't have an internal "feed".

Has anyone else done this? Anyone have any creative ways to accomplish what I am looking to do?

Thanks in advance

3 Replies

  • mo_99289
    Historic F5 Account

    It might be a possible way; hope it could help. It still uses a feed, but makes use of the httpd service on BIG-IP. BE AWARE THAT THIS CONFIG IS NOT officially supported by F5.

    [root@ve3:Active:Standalone] config  cat << EOF > /etc/httpd/conf.d/feeds.conf
    > <VirtualHost 127.0.0.1:8123>
    >     DocumentRoot /var/feeds
    >     LogLevel debug
    >     <Directory /var/feeds>
    >         Options Indexes FollowSymLinks MultiViews
    >         AllowOverride None
    >     </Directory>
    >     KeepAlive Off
    > </VirtualHost>
    > Listen 127.0.0.1:8123
    > EOF
    [root@ve3:Active:Standalone] config  cat /etc/httpd/conf.d/feeds.conf
    <VirtualHost 127.0.0.1:8123>
        DocumentRoot /var/feeds
        LogLevel debug
        <Directory /var/feeds>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
        </Directory>
        KeepAlive Off
    </VirtualHost>
    Listen 127.0.0.1:8123
    [root@ve3:Active:Standalone] config  bigstart restart httpd
    Stopping httpd: [  OK  ]
    Starting httpd: [  OK  ]
    [root@ve3:Active:Standalone] config  netstat -anp | grep 8123
    tcp        0      0 127.0.0.1:8123              0.0.0.0:*                   LISTEN      14055/httpd         
    [root@ve3:Active:Standalone] config  mkdir /var/feeds; cat << EOF > /var/feeds/feeds.txt
    > 10.2.22.177,32,bl,test_blacklist_category_1
    > EOF
    [root@ve3:Active:Standalone] config  cat /var/feeds/feeds.txt 
    10.2.22.177,32,bl,test_blacklist_category_1
    [root@ve3:Active:Standalone] config  tmsh list security ip-intelligence
    security ip-intelligence blacklist-category test_blacklist_category_1 { }
    security ip-intelligence feed-list test_feed_list {
        feeds {
            feed_list_1 {
                default-blacklist-category test_blacklist_category_1
                poll {
                    url http://127.0.0.1:8123/feeds.txt
                }
            }
        }
    }
    security ip-intelligence global-policy {
        ip-intelligence-policy test_ip_intelligence
    }
    security ip-intelligence policy ip-intelligence { }
    security ip-intelligence policy test_ip_intelligence {
        blacklist-categories {
            test_blacklist_category_1 {
                match-direction-override match-source
            }
        }
        default-log-blacklist-hit-only yes
        default-log-blacklist-whitelist-hit yes
        feed-lists {
            test_feed_list
        }
    }
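To populate feeds.txt from the kind of address/network list jdam already keeps in a data group, rather than hand-editing it, here is an added example (not code from mo_99289's post or from F5): it validates and normalises each entry, emits the four-field feed lines the reply shows (address, prefix length, bl, category), drops junk and duplicates, and replaces the file atomically so the poller never reads a half-written feed. The sample entries are constructed; the category name is the one from the reply, and the script is assumed to run wherever /var/feeds lives.

```python
#!/usr/bin/env python3
"""Build an AFM IP Intelligence feed file from a plain list of addresses.
Added example; feed line layout copied from the reply above:
    <address>,<prefix-length>,bl,<category>
"""
import ipaddress
import os

# Constructed sample input: hosts, networks, a duplicate, junk and a
# network written with host bits set (as a data group might contain).
SAMPLE_ENTRIES = [
    "10.2.22.177",      # single host -> /32
    "192.0.2.0/24",     # a network
    "198.51.100.7/32",
    "10.2.22.177",      # duplicate; must appear once in the feed
    "not-an-ip",        # junk that must not reach the feed file
    "192.0.2.5/24",     # host bits set; normalised to 192.0.2.0/24
]

def to_feed_line(entry, category, list_type="bl"):
    """Return one feed line for a host or CIDR entry, or None if invalid."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None
    return "{},{},{},{}".format(net.network_address, net.prefixlen,
                                list_type, category)

def build_feed(entries, category, list_type="bl"):
    """Validate, normalise and de-duplicate; returns (lines, rejected)."""
    seen, lines, rejected = set(), [], []
    for entry in entries:
        line = to_feed_line(entry, category, list_type)
        if line is None:
            rejected.append(entry)
        elif line not in seen:
            seen.add(line)
            lines.append(line)
    return lines, rejected

def write_feed(path, lines):
    """Write to a temp file and rename, so httpd serves old or new, never partial."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, path)

if __name__ == "__main__":
    feed, bad = build_feed(SAMPLE_ENTRIES, "test_blacklist_category_1")
    print("\n".join(feed))
    print("rejected:", bad)
    # write_feed("/var/feeds/feeds.txt", feed)  # path from the reply above
```

Rejected entries are returned rather than silently dropped so an operator can see what did not make it into the blacklist.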
    • jdam_41848
      Thanks mo. So let me see if I understand your response. You are creating an http listener on the BigIP itself with feeds.conf and using /var/feeds as the root for this web instance. You put a file feeds.txt in /var/feeds to be your feed list of IP addresses. You add this feed to your test_ip_intelligence policy which is your global policy. To add addresses to this list, you manually update the feeds.txt file and the changes get picked up by the BigIP by calling itself (127.0.0.1:8123). Do I have this correct?